Search This Blog

Showing posts with label Secret Keys. Show all posts

Using Blatant Code, a New Nokoyawa Variant Sneaks up on Peers

 

Nokoyawa is a new malware for Windows that first appeared early this year. The first samples gathered by FortiGuard researchers were constructed in February 2022 and contain significant coding similarities with Karma ransomware that can be traced back to Nemty via a long series of variants. 

NOKOYAWA is a ransomware-type piece of malware that the research team discovered and sampled from VirusTotal. It's made to encrypt data and then demands payment to decode it. 

FortiGuard Labs has seen versions constructed to run only on 64-bit Windows, unlike its precursor Karma, which runs on both 32-bit and 64-bit Windows. For customized executions, Nokoyawa provides many command-line options: help, network, document, and Encrypt a single file using the path and dir dirPath. 

Nokoyawa encrypts all local disks and volumes by default if no argument is provided. The "-help" argument is intriguing because it shows that the ransomware creators and the operators who deploy and execute the malware on affected PCs are two independent teams. Nokoyawa encrypts files that do not end in.exe,.dll, or.lnk extensions using multiple threads for speed and efficiency. Furthermore, by verifying the hash of its names with a list of hardcoded hashes, some folders, and their subdirectories are prohibited from encryption.

Nokoyawa produces a fresh ephemeral keypair (victim file keys) for each file before encrypting it. A 64-byte shared secret is produced with Elliptic-Curve Diffie-Hellmann using the victim file's private key and the threat actors' "master" public key (ECDH). For encrypting the contents of each file, the first 32 bytes of this secret key are used as a Salsa20 key, together with the hardcoded nonce 'lvcelvce.' 

RURansom, A1tft, Kashima, and pEaKyBlNdEr are just a few of the ransomware programs that have been looked into. The encryption algorithms they utilize (symmetric or asymmetric) and the ransom size are two key variations between malicious applications of this type. The magnitude of the requested sum can vary dramatically depending on the intended victim. 

How does ransomware get into my system? 

The majority of the additional code was taken exactly from publicly available sources, including the source of the now-defunct Babuk ransomware leaked in September 2021, according to FortiGuard Labs experts. 

Malware including ransomware is spread using phishing and social engineering techniques. Malicious software is frequently disguised as or integrated with legitimate files. 

The email addresses were eliminated and were replaced with directions to contact the ransomware authors using a TOR browser and a.onion URL. When you're at the Onion URL, you'll be taken to a page with an online chatbox where you can chat with the operators, negotiate and pay the ransom. 

Researchers from FortiGuard Labs detected a dialogue between a potential victim and the ransomware operator. The threat actors offer free decryption of up to three files based on this chat history to demonstrate that they can decrypt the victim's files.

The ransom amount, in this case, a whopping 1,500,000 (likely in USD), is displayed on the "Instructions" page and can be paid in either BTC (Bitcoin) or XMR(Monero). The operators claim to deliver the tool to decrypt the victim's files after payment.

Given the rising professionalism of certain ransomware efforts, this TOR website could be an attempt to better "branding" or a technique to delegate ransom discussions to a separate team. Surprisingly, the ransom note contains the following content. "Contact us to strike a deal or we'll publish your black s**t to the media," the message says, implying that the victim's data was stolen during the infection.

Drive-by (stealthy and deceptive) downloads, spam email (malicious files attached to or compromised websites linked in emails/messages), untrustworthy download channels (e.g., peer-to-peer sharing networks, unofficial and freeware sites, etc.), illegal software activation ("cracking") tools, online scams, and fake updates are among the most common distribution methods. 

How can we defend from ransomware?

It is strongly advised you only use legitimate and trusted download sources. Furthermore, all apps must be activated and updated through tools given by genuine providers, as third-party tools may infect the system. 

Experts also recommend against opening attachments or links received in questionable emails or messages, as they may contain malware. It is critical to install and maintain a reliable anti-virus program. 

Regular system scans and threats/issues must be removed using security software. If the machine has already been infected with NOKOYAWA, we recommend using Combo Cleaner Antivirus for Windows to automatically remove it.

Thousands of Secret Keys Discovered in Leaked Samsung Source Code

 

Thousands of secret keys were exposed in the recently stolen Samsung source code, according to an analysis, including several that might be extremely beneficial to nefarious actors. GitGuardian, a business that specialises in Git security scanning and secret detection, conducted the research. 

The firm's analysts examined source code that was recently stolen by a cybercrime outfit known as Lapsus$. In recent weeks, the hackers claim to have hacked into several large corporations, including NVIDIA, Samsung, Ubisoft, and Vodafone. They appear to have acquired source code from the victims in numerous cases, some of which have been made public. Cybercriminals claim to have stolen 190 GB of data from Samsung, and the tech giant has verified that the hacked data contained the source code of Galaxy devices. 

More than 6,600 secret keys were discovered during GitGuardian's analysis of the exposed Samsung source code, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys. The number of valid keys revealed is yet to be determined by the firm's researchers. However, 90 percent are likely related to internal systems, which may be more difficult for an attacker to use, according to their research. The remaining keys, which number around 600, can give attackers access to a wide range of systems and services. 

“Of the more than 6,600 keys found in Samsung source code roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, artifactory and Google,” explained Mackenzie Jackson, developer advocate at GitGuardian. 

The exposure of specific keys, according to Casey Bisson, head of product and developer relations at code security firm BluBracket, might lead to the TrustZone environment on Samsung devices being hacked. Researchers are yet to determine whether the revealed keys undermine the TrustZone, which holds sensitive data like fingerprints and passwords and acts as a security barrier against Android malware attacks. 

Bisson told SecurityWeek, “If the leaked data allows the malware to access the TrustZone environment, it could make all data stored there vulnerable. If Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment. Compromised keys would make this a more significant attack than Nvidia, given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.”

GitGuardian reviewed the source code leaked from Amazon's live streaming service Twitch, from which hackers obtained and made public around 6,000 internal Git repositories, a few months ago. AWS keys, Twilio keys, Google API keys, database connection strings, and GitHub OAuth keys were among the secrets found by GitGuardian in those repositories.